Duane Morris Data Breach Class Action Review — 2024

same logic to the FTCA. Id. As to negligence damages, the court held that plaintiff failed “to show identity theft or loss in continuity of healthcare of any class members – only the possibility of each.” Id. Under Arizona law, negligence damages require more than merely a threat of future harm, and on their own, threats of future harm are not cognizable negligence injuries. Id. *5-6. Similarly, as to out-of-pocket expenses, the court opined that the plaintiff failed to demonstrate that her expenses were necessary because she did not properly show that Defendant ’ s identity monitoring services were inadequate. Id. at *6. Finally, the court recognized that merely alleging a diminution in value to somebody ’ s PII or PHI was insufficient. Id. Therefore, the court dismissed the plaintiff ’ s negligence claims. Turning to the plaintiff ’ s breach of contract claims, the court ruled that the plaintiff did not show cognizable damages, a reasonable construction for the terms of the contract, or consideration for the existence of an implied contract. Id. at *8. The court held that plaintiff ’ s FAC allegations only reflected speculative damages and did not allege proof of real damages. Id. The court opined that the plaintiff ’ s “vaguely pleaded” contract terms failed to show any language that would inform the terms of the agreement and the plaintiff did not point to any conduct or circumstances from which the terms could be determined. Id. at *7. Finally, the court determined that even if the defendant had an obligation to protect the data at issue, such pre-existing obligations did not serve as consideration for a contract. Id. Therefore, the court dismissed all breach of implied contract claims. Id. On the claim for breach of the implied covenant of good faith and fair dealing, the plaintiff argued that the defendant breached by failing to maintain adequate computer systems and data security practices, failed to timely and adequately disclose the data breach, and inadequately stored PII and PHI. Because the plaintiff failed to show an enforceable promise, the court held there could be no breach, and all claims for breach of the implied covenant of good faith and fair dealing were dismissed. Id. at *8. The court also dismissed plaintiff ’ s Fraud Act claims because the plaintiff failed to show cognizable damages. Id. at *9. The court reasoned that “[p]laintiff cannot simply argue that the system is inadequate because a negative result occurred.” Id. The court also determined that the plaintiff failed to demonstrate that the defendant ’ s security was inadequate when compared to other companies or any set of industry standards. Id. As to the plaintiff ’ s privacy claims, the court held that there were no cognizable claims for invasion of privacy or breach of privacy, and the plaintiff did not dispute these claims in her response. Id. Accordingly, the court granted the defendant ’ s motion to dismiss as to all claims, denied the plaintiff leave to amend her complaint, and dismissed the case with prejudice. In Baysal, et al. v. Midvale Indemnity Co., 78 F.4th 976 (7th Cir. 2023), the plaintiffs, a group of individuals requesting “instant quotes” for auto insurance, filed a class action alleging that the defendants, Midvale Indemnity and American Family Mutual, violated the Driver ’ s Privacy Protection Act (DPPA) and state negligence law. The plaintiffs specifically alleged that the website would allow a user to enter a stranger ’ s name and home address, leading the form to disclose the number of the stranger ’ s driver ’ s license with its auto-fill feature. The defendants filed a motion to dismiss pursuant to Rule 12(b)(1), and the district court granted the motion. The district court concluded that the plaintiffs failed to demonstrate concrete injuries traceable to the disclosure of driver ’ s license numbers. On appeal, the Seventh Circuit affirmed the district court ’ s ruling. The Seventh Circuit determined that any emotional distress claims were not sufficient to establish standing. Additionally, claims about paying for credit monitoring services were not relevant if the disclosed information did not facilitate identity theft or fraud. The Seventh Circuit further opined that driver ’ s license numbers were not analogous to other forms of private information that had been protected under common law. The Seventh Circuit explained that a driver ’ s-license number is not potentially embarrassing or an intrusion on seclusion, it is simply a neutral fact derived from a public records system, a fact legitimately known to many private actors and freely revealed to banks, insurers, hotels, and others. Id. at 980. Thus, the Seventh Circuit found that the plaintiffs had not plausibly alleged that the disclosure of their numbers caused them any injury, and the disclosure of a number in common use by both public and private actors did not correspond to any tort. Id. Without specific allegations connecting the disclosure to the asserted harm, the Seventh Circuit reasoned that the plaintiffs lacked standing to bring their claims. For these reasons, the Seventh Circuit affirmed the district court ’ s ruling. In the litigation entitled In Re GEICO Customer Data Breach Litigation , 2023 U.S. Dist. LEXIS 151535 (E.D.N.Y. Aug. 28, 2023), the plaintiffs filed a class action alleging that their personal information, including

14

© Duane Morris LLP 2024

Duane Morris Data Breach Class Action Review – 2024

Made with FlippingBook - professional solution for displaying marketing and sales documents online